Sunday, September 08, 2013

No, the NSA can't spy on arbitrary smartphone data

The NSA has been exposed as evil and untrustworthy, but so has the press. The press distorts every new revelation, ignoring crucial technical details, and making it sound worse than it really is. An example is this Der Spiegel story claiming "NSA Can Spy On Smartphone Data", such as grabbing your contacts or SMS/email stored on the phone. Update: That was a teaser story, the actual story appearing tomorrow (available here) has more facts and fewer speculations than the teaser story.
The NSA can't reach out through the ether and touch your phone. Instead, they have a limited number of ways to reach your phone. The article describes only two methods: when you sync your phone via USB cable to your computer, and hacking BlackBerry's servers.

By design, when you "sync" your phone, it makes a duplicate copy of your contacts, SMS messages, and email. That's the entire point of syncing: to make a backup copy of everything on your phone. So it's not really that the NSA has hacked your phone; the underlying principle here is that the NSA has hacked your desktop.

In addition, anything that the NSA didn't get via normal, allowed syncing, the NSA can get via jailbreaking. Jailbreaking is when hackers unlock phones like the iPhone so that they can install software Apple doesn't approve of. Every time I buy a new phone, the first thing I do is jailbreak and install unapproved software. Every time somebody releases a jailbreak for the iPhone, the NSA quietly copies the jailbreak into their malware. Indeed, some researchers simply sell their jailbreaks to the NSA instead of releasing them to the public.

The story hypes the NSA's powers of offense by hyping BlackBerry's powers of defense, claiming BlackBerry's mail system "is known to be very secure". Known by whom, exactly? Can you cite a source? Any source? I'm an expert in cybersec, I know lots of experts, and nobody I know thinks BlackBerry's mail system is very secure. Indeed, it's rife with vulnerabilities, and the fact that it's not "end-to-end" is an enormous (and well known) security flaw. Its only benefit is that it provides an encrypted link to the corporate email server; it's that link which is "known to be secure", not the email service itself.

As an aside, searching for every use of the passive voice is one of the easiest ways to find the flaws in a story: the places where the journalist is making things up or being lazy.
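The passive-voice heuristic above, as an added example that is not part of the original post: a small Python checker that flags "be-verb + past participle" constructions and records whether an explicit agent ("by ...") follows, so that agentless claims like "is known to be very secure" stand out. The sample sentences are constructed for the demonstration; the participle matcher is deliberately crude.

```python
import re

# Forms of "to be" that introduce an English passive construction.
BE_VERBS = r"(?:am|is|are|was|were|be|been|being)"

# Crude past-participle matcher: regular -ed/-en forms plus a few irregular
# forms that show up constantly in reporting ("is known", "is said", "is believed").
PARTICIPLE = (
    r"(?:\w+(?:ed|en)|known|said|thought|believed|understood"
    r"|seen|done|found|made|told)"
)

# be-verb, optional adverb ("are quietly copied"), participle, optional "by <agent>".
PASSIVE_RE = re.compile(
    rf"\b{BE_VERBS}\b(?:\s+\w+ly)?\s+(?P<verb>{PARTICIPLE})\b"
    r"(?P<agent>\s+by\s+\w+)?",
    re.IGNORECASE,
)


def find_passives(text):
    """Return one dict per passive construction found in `text`, with the
    sentence it sits in, the participle, and whether an agent ("by X") follows."""
    hits = []
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        for m in PASSIVE_RE.finditer(sentence):
            hits.append({
                "sentence": sentence,
                "verb": m.group("verb").lower(),
                "has_agent": m.group("agent") is not None,
            })
    return hits


def agentless_passives(text):
    """The passives worth asking 'by whom?' about: those with no named agent."""
    return [h for h in find_passives(text) if not h["has_agent"]]


# Constructed sample text: three passives (two agentless) and one active sentence.
SAMPLE = (
    "BlackBerry's mail system is known to be very secure. "
    "The carrier's support staff were bribed by an insider. "
    "Jailbreaks are quietly copied into malware. "
    "The NSA hacks your desktop."
)

if __name__ == "__main__":
    for hit in agentless_passives(SAMPLE):
        print(f"no agent for '{hit['verb']}': {hit['sentence']}")
```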

The actual facts of the NSA's surveillance are disturbing enough. We don't need the press to exaggerate them. Moreover, it's an issue of trust. #Snowdengate has revealed the NSA to be an untrustworthy institution (and possibly our entire government), but it's also revealing the press to be untrustworthy as well.

Update: So how would the NSA get your phone? Here are some ways:

Through the sync process with your desktop -- but they'd need to "put a virus" on your desktop first (as described above)

Through the Internet against a "service" on your phone -- except that your phone has almost no services that aren't filtered.

Through the Internet against a "client" on your phone, like a browser -- which requires 0days, and that you visit their website.

Through trojan apps on an app store -- hard not to get discovered, and they must convince you to download the app.

Locally via WiFi -- lots of good ways, but if they are close enough for WiFi, they are close enough for better monitoring of you.

Locally via USB -- such as trojaned chargers at airports (which you should avoid using).

Through an over-the-air update from the cellphone carrier like AT&T or Vodafone -- requires complicity with the carrier, which is near impossible.

Through an update from your phone vendor -- again requires complicity with the vendor.

Through a trojaned component on the phone -- requires bribing a chip manufacturer like Broadcom to put special features in their chips or drivers.

Controlling your carrier's servers to get metadata -- requires either a subpoena, hacking, or bribing the support staff, exposing them (which indeed was done by Snowden).

@eqe: "Exploit one of the many known 0day in the 3G baseband, leverage to APU code execution" -- in other words, hack the cell chip in the phone, which is essentially a separate computer from the rest of the cellphone. This requires fairly local access: the attacker has to be within radio range.

Controlling BlackBerry enterprise servers -- such as by hacking or bribing somebody.

The point is that there is a long list of scenarios where the NSA can get you -- but at the same time, each has significant hurdles for the NSA to overcome -- especially if the NSA wants to stay undetected. The above story gets only part of the equation.

For example, let's say there is a suspected terrorist in Pakistan with a BlackBerry, working for a large Pakistani construction firm. That firm outsources its IT to China. Therefore, the NSA bribes somebody in China to put a backdoor on the BlackBerry Enterprise Server. This then allows them to eavesdrop on the guy's email. It's a complicated sequence of events that comes down to "we got his phone", but what gets them there is classic spycraft that has little to do with phones.

Update: @ChrisEng points out that there's a difference between normal BlackBerry Internet Services (BIS) provided by your phone carrier, and BlackBerry Enterprise Services (BES) provided by your company. BES is the stronger set of services, where effectively your phone creates a VPN to your company, and your company controls all your emails, what apps you can have on your phone, and so on.

Update to update: the story I link above doesn't clarify BES or BIS, but the full story does clarify BES.

Thanks for pointing out the lazy journalism of Der Spiegel regarding the "NSA pwns all ur smartphones" article. However, you say that getting the cooperation of carriers is "almost impossible". That's totally not true, and is one of the most important lessons of the Snowden leaks: the carriers and service providers will almost always bend over backwards to comply with government requests.

Last week Bruce Schneier seemed to say that he thought the NSA would be technically able to intercept a download request on the fly from, say, Sourceforge and substitute their own version of a software package (a MITM) pretty easily. If that is the case, I don't see any really high bar to them being able to do that with any updates which go to your phone either. Keys, you say? Validation? Schneier also seems to be of the opinion that any needed signing keys could be stolen pretty easily.

What about a phone connected to a home wifi network? Could they gain remote access to one of the computers and then plant bugging software on the iPhone through the compromised wifi network? If they could, could they then monitor your calls or only applications/data usage?